Published on: May 14, 2024

Rate limitations announced for Projects, Groups, and Users APIs

Learn why these changes are being made, when they go into effect, and what to expect.

In recent months, we have observed that the frequency and intensity of requests made by users to the Projects, Groups, and Users APIs have increased significantly. This has resulted in an increased load on our servers, which has impacted the performance and stability of our platform for all users. To address this issue, we have decided to introduce rate limitations for all users. Starting with GitLab 18.0 for GitLab Self-managed and Dedicated, and October 15th for GitLab.com, all users will be subject to rate limitations when using the Projects, Groups, and Users APIs.

What are the Projects, Groups, and Users APIs?

The Projects and Groups APIs provide information about GitLab projects and groups, including name, description, and other metadata. The Users API provides information about GitLab users. These APIs are widely used by our community, including researchers, developers, and integrators, to retrieve and analyze information about GitLab projects, groups and users. We value this usage and aim to support it as much as possible.

Rate limitation details

All users of the Projects, Groups, and Users APIs will be rate-limited. The limits per endpoint are as follows:

| Endpoint | Rate limit per user or IP |
|---|---|
| GET /api/v4/users/:id/followers | 100 requests per minute |
| GET /api/v4/users/:id/following | 100 requests per minute |
| GET /api/v4/users/:user_id/status | 240 requests per minute |
| GET /api/v4/users/:user_id/keys | 120 requests per minute |
| GET /api/v4/users/:id/keys/:key_id | 120 requests per minute |
| GET /api/v4/users/:id/gpg_keys | 120 requests per minute |
| GET /api/v4/users/:id/gpg_keys/:key_id | 120 requests per minute |
| GET /api/v4/users/:user_id/projects | 300 requests per minute |
| GET /api/v4/users/:user_id/contributed_projects | 100 requests per minute |
| GET /api/v4/users/:user_id/starred_projects | 100 requests per minute |
| GET /api/v4/projects | 2000 requests per 10 minutes |
| GET /api/v4/groups/:id/projects | 600 requests per minute |
| GET /api/v4/projects/:id | 400 requests per minute |
| GET /api/v4/groups | 200 requests per minute |
| GET /api/v4/groups/:id | 400 requests per minute |

We rate-limit based on user for authenticated requests and based on IP for unauthenticated requests. We use the same value for both IP and user. The stated limits have been selected based on average usage patterns and should provide sufficient headroom for most use cases.

If a user exceeds this limit, the user will receive a "429 Too Many Requests" response. On GitLab.com, this limit cannot be changed. Users of GitLab Self-managed instances have the same rate limitation set by default, but admins can change the rate limits as they see fit via the UI or the application settings API. They can also set the rate limit to zero, which acts as if there is no rate limitation at all.
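For integrators who want to stay under these limits rather than handle 429 responses after the fact, here is a client-side throttle as an added example (not GitLab code). The names `match_route` and `wait_time` are hypothetical, and it assumes the budget is counted per route pattern for a single user or IP.

```python
import re
from collections import deque

# (route, max requests, window in seconds) for GET requests, copied from the table on this page.
LIMITS = [
    ("/api/v4/users/:id/followers", 100, 60),
    ("/api/v4/users/:id/following", 100, 60),
    ("/api/v4/users/:user_id/status", 240, 60),
    ("/api/v4/users/:user_id/keys", 120, 60),
    ("/api/v4/users/:id/keys/:key_id", 120, 60),
    ("/api/v4/users/:id/gpg_keys", 120, 60),
    ("/api/v4/users/:id/gpg_keys/:key_id", 120, 60),
    ("/api/v4/users/:user_id/projects", 300, 60),
    ("/api/v4/users/:user_id/contributed_projects", 100, 60),
    ("/api/v4/users/:user_id/starred_projects", 100, 60),
    ("/api/v4/projects", 2000, 600),
    ("/api/v4/groups/:id/projects", 600, 60),
    ("/api/v4/projects/:id", 400, 60),
    ("/api/v4/groups", 200, 60),
    ("/api/v4/groups/:id", 400, 60),
]
# Each ":param" stands for exactly one path segment. Assumption: the budget is counted
# per route pattern (not per concrete id) for one authenticated user or one IP.
ROUTES = [(re.compile(re.sub(r":\w+", "[^/]+", r) + "/?$"), r, n, w) for r, n, w in LIMITS]


def match_route(path):
    """Return (route, limit, window) for a request path, or None if the table lists no limit."""
    path = path.split("?", 1)[0]  # ignore the query string
    for rx, route, limit, window in ROUTES:
        if rx.match(path):
            return route, limit, window
    return None


def wait_time(sent, path, now):
    """Seconds to wait before sending `path` at time `now`; a return of 0 records the send."""
    hit = match_route(path)
    if hit is None:
        return 0.0
    route, limit, window = hit
    q = sent.setdefault(route, deque())  # send times still inside the window
    while q and now - q[0] >= window:  # drop sends that have left the window
        q.popleft()
    if len(q) >= limit:
        return q[0] + window - now  # budget spent: wait until the oldest send expires
    q.append(now)
    return 0.0
```

Keep one `sent` dict per token (or per source IP for unauthenticated calls) and pass `time.monotonic()` as `now`. The sliding window is deliberately conservative, so it also holds if the server counts in fixed windows.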

We understand that this change may impact some of our users who rely on the Projects, Groups, and Users APIs, and we apologize for any inconvenience this may cause.

If you have any questions or concerns about this change, please leave feedback in this issue.